I am trying to generate a JWT from the WSO2 token endpoint using the password and client credentials approaches but I am not finding any difference in the sub claim value. It's always pointing to the user id only; shouldn't it have the application id/client id in the sub claim for a JWT generated using the client credentials approach?
ex:
Token obtained using password grant:
Request:
POST https://localhost:8243/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic UnNOYWY5ams2MERCM2tXQ292ZGZEZnRTWklvYToxU1o0alg1bW5YV2lBT3BkYjRReFhmS09VN1lh
Host: localhost:8243
Content-Length: 53
grant_type=password&username=api3dev&password=api3dev
JWT in response
{"typ":"JWT","alg":"RS256","x5t":"NTdmZjM4ZDk3NjY0Yzc5MmZmODgwMTE3MWYwNDE5MWRlZDg4Nzc4ZA=="}
{"aud":"http://org.wso2.apimgt/gateway","sub":"api3dev#carbon.super","application":{"owner":"api2dev","tierQuotaType":"requestCount","tier":"Unlimited","name":"demoapp_oriKeymgr","id":68,"uuid":null},"scope":"default","iss":"https://localhost:9443/oauth2/token","tierInfo":{"Unlimited":{"tierQuotaType":"requestCount","stopOnQuotaReach":true,"spikeArrestLimit":0,"spikeArrestUnit":null}},"keytype":"PRODUCTION","subscribedAPIs":[{"subscriberTenantDomain":"carbon.super","name":"PizzaShackAPI","context":"/pizzashack/1.0.0","publisher":"admin","version":"1.0.0","subscriptionTier":"Unlimited"}],"consumerKey":"RsNaf9jk60DB3kWCovdfDftSZIoa","exp":1600502664,"iat":1600499064,"jti":"426d64a9-932b-4f0c-b396-202fd03dd960"}
Token obtained using client credential:
Request:
POST https://localhost:8243/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic UnNOYWY5ams2MERCM2tXQ292ZGZEZnRTWklvYToxU1o0alg1bW5YV2lBT3BkYjRReFhmS09VN1lh
Host: localhost:8243
Content-Length: 29
grant_type=client_credentials
JWT in response
{"typ":"JWT","alg":"RS256","x5t":"NTdmZjM4ZDk3NjY0Yzc5MmZmODgwMTE3MWYwNDE5MWRlZDg4Nzc4ZA=="}
{"aud":"http://org.wso2.apimgt/gateway","sub":"api2dev#carbon.super","application":{"owner":"api2dev","tierQuotaType":"requestCount","tier":"Unlimited","name":"demoapp_oriKeymgr","id":68,"uuid":null},"scope":"am_application_scope default","iss":"https://localhost:9443/oauth2/token","tierInfo":{"Unlimited":{"tierQuotaType":"requestCount","stopOnQuotaReach":true,"spikeArrestLimit":0,"spikeArrestUnit":null}},"keytype":"PRODUCTION","subscribedAPIs":[{"subscriberTenantDomain":"carbon.super","name":"PizzaShackAPI","context":"/pizzashack/1.0.0","publisher":"admin","version":"1.0.0","subscriptionTier":"Unlimited"}],"consumerKey":"RsNaf9jk60DB3kWCovdfDftSZIoa","exp":1600502788,"iat":1600499188,"jti":"8091497e-9978-4541-99b9-efca50b16868"}
In the above example you can see the sub claim always has the user id only.
In WSO2 API Manager, when you generate an access_token with client_credentials, the sub claim is populated with the owner of the application (service provider). I am not sure that in client credentials the sub claim should be populated with the client_id of the OAuth2 application; though client credentials is a machine-to-machine authz process without user credentials, the sub (subject) claim should be a user, in this case the owner. For me it is a correct value.
I have created a service provider using OIDC. When I log in to it, 'invalid_grant, Invalid authorization code received from token request' occurred. How can I change my configuration on the service provider so that I can log in?
Thanks
This should not be a configuration issue in most cases and might be an issue with the token request which you send to exchange the authorization code for an access token.
Tip: You may validate whether the client id used in the /oauth2/authorize request matches the one sent in the /oauth2/token request.
I am trying to call this web API using Postman. In order to use it you must apply for a personal token via email beforehand (see here at the beginning of the page, indicated as "Personal token request": you must send an email requesting a personal token).
So I have requested a personal token, and once I have it I am trying to call the method indicated above, this one.
So I configure Postman as the screenshots below show. I only fill in the Authorization (with my token) and the Headers tabs. I use GET as the verb and this URL: https://api.esios.ree.es/indicators
Authorization:
Headers:
When I send the request I get error:
HTTP Token: Access denied.
UPDATED:
It doesn't work...
UPDATED - ATTEMPT #2
Finally I have solved it by setting authorization "No Auth" in Authorization tab and instead set Authorization token in the header tab.
I am looking to create an API using the Django REST Framework which will authenticate using a separate authentication server by means of its introspection endpoint. The authorization flow should look something like the following.
1. The client provides either user credentials or a refresh token to the token endpoint on our authentication server.
2. If the provided credentials or refresh token are valid, the authentication server responds with an access token and a refresh token.
3. The client then sends the access token to the API when requesting a resource.
4. The API verifies the provided access token using the introspection endpoint on our authentication server.
5. The authentication server responds letting the API know if the access token is valid.
6. If the access token is valid, the API responds to the client with the requested resources.
Step 4 is the part I'm after, and the Django OAuth Toolkit looks like it provides an option for exactly this. In the section about setting up a separate resource server it states that it allows the application to verify access tokens by use of an introspection endpoint.
So I followed the setup for the Django OAuth Toolkit and pointed the RESOURCE_SERVER_INTROSPECTION_URL toward the introspection endpoint on our authentication server. Then I acquired an access token from our authentication server and provided it to the API in an Authorization header, but I get the following response.
Content-Type: application/json
WWW-Authenticate: Bearer realm="api",error="invalid_token",error_description="The access token is invalid."
Vary: Accept
Allow: GET, HEAD, OPTIONS
Content-Length: 58
{
"detail": "Authentication credentials were not provided."
}
If I don't provide a token I get the same response body, but no WWW-Authenticate header. The strange part is that the introspection endpoint never receives a POST request, which it should be sending to verify the access token.
So did I misread the documentation, or am I doing something wrong? Why isn't this working as I expect?
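Step 4 of the flow above is an RFC 7662 token introspection call made by the resource server. The following is an added illustration of that step written for this page, not code from Django OAuth Toolkit or from the question's project: the API pulls the bearer token from the Authorization header, POSTs it as a form field to the introspection endpoint while authenticating as the resource server, and accepts only a response with active=true that is unexpired and carries the required scope. The endpoint URL, the resource-server credentials, and the fake authentication server used for offline execution are all constructed assumptions.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Constructed values; replace with your authentication server's details (assumption).
INTROSPECTION_URL = "https://auth.example.invalid/o/introspect/"
API_CLIENT_ID = "resource-server"          # credentials the API uses to call introspection
API_CLIENT_SECRET = "resource-server-secret"


def extract_bearer(authorization_header: str) -> str:
    """Pull the token out of 'Authorization: Bearer <token>'; any other scheme counts as no credentials."""
    scheme, _, token = authorization_header.strip().partition(" ")
    return token.strip() if scheme.lower() == "bearer" else ""


def build_introspection_request(token: str, url: str = INTROSPECTION_URL,
                                client_id: str = API_CLIENT_ID,
                                client_secret: str = API_CLIENT_SECRET) -> urllib.request.Request:
    """RFC 7662 section 2.1: POST a form body 'token=...' to the introspection endpoint,
    authenticated as the resource server (here with HTTP Basic)."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })


def send_over_https(req: urllib.request.Request) -> dict:
    """Real transport for production use; the offline demo injects fake_send instead."""
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def introspect(token: str, send=send_over_https, required_scope: str = "", now=None) -> tuple:
    """Return (accepted, reason_or_subject). A token is accepted only when the authorization
    server says active=true, it is not past exp, and it carries the required scope."""
    if not token:
        return (False, "no token")
    info = send(build_introspection_request(token))
    if info.get("active") is not True:          # RFC 7662 section 2.2: 'active' is the only mandatory field
        return (False, "token inactive")
    now = time.time() if now is None else now
    if "exp" in info and info["exp"] <= now:
        return (False, "token expired")
    if required_scope and required_scope not in info.get("scope", "").split():
        return (False, f"missing scope {required_scope}")
    return (True, info.get("sub") or info.get("username") or info.get("client_id"))


# Constructed fake authentication server for offline use: one live token and one revoked token.
FAKE_DB = {
    "live-token": {"active": True, "scope": "read write", "sub": "alice", "exp": 2000000000},
    "revoked-token": {"active": False},
}


def fake_send(req: urllib.request.Request) -> dict:
    """Stands in for send_over_https: checks the request shape, then answers from FAKE_DB."""
    assert req.get_method() == "POST", "introspection must be a POST"
    form = urllib.parse.parse_qs(req.data.decode())
    return FAKE_DB.get(form["token"][0], {"active": False})


if __name__ == "__main__":
    print(introspect(extract_bearer("Bearer live-token"), send=fake_send, required_scope="read"))
    print(introspect(extract_bearer("Bearer revoked-token"), send=fake_send))
```

The transport is injected so the logic can be exercised without a network; in a deployment the default send_over_https is used, and the resource-server credentials would come from configuration rather than constants.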
I am setting up WSO2 API Manager and securing the API with a self-contained access token (JWT). Here's a link I followed to protect your APIs with a self-contained access token (JWT) using WSO2 API Manager and WSO2 Identity Server.
I am getting a JWT token from the WSO2 Identity Server. But when I try to get an access token using the JWT token from WSO2 IS, I get the following error:
HTTP/1.1 400 Bad Request
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Date: Thu, 29 Aug 2019 11:53:42 GMT
Content-Type: application/json
Content-Length: 146
Connection: close
Server: WSO2 Carbon Server
{"error_description":"None of the audience values matched the tokenEndpoint Alias https://172.28.1.101:9444/oauth2/token","error":"invalid_grant"}
I assume that you are using the OAuth 2 Authorization Code grant type. You have taken a JWT and then, using that, you are trying to get the access token. In your service provider configuration, under Inbound Authentication Configuration > OAuth/OpenID Connect Configuration, if you click Edit there is a checkbox field named Enable Audience Restriction. Add https://172.28.1.101:9444/oauth2/token as an audience. Then try the flow. For more information refer to
https://docs.wso2.com/display/IS570/Configuring+Inbound+Authentication+for+a+Service+Provider
OAuth/OpenID Connect Configuration
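Two of the threads on this page come down to how a receiving party reads JWT claims: the first asks which principal the sub claim names for a client_credentials token, and the answer just above explains that the token endpoint rejects an assertion whose aud does not contain its own alias. The following is an added example written for this page, not WSO2's code: it verifies a compact JWT's signature, expiry and audience, then derives the acting principal from the claims, treating a token whose scope carries am_application_scope (the marker WSO2 added on the client_credentials token shown above) as belonging to the application identified by consumerKey rather than to the user in sub. The claims dictionaries are constructed from the two tokens on this page; the HS256 signing key is a constructed assumption standing in for the RS256 key pair a real gateway would use, and the names verify_jwt, aud_matches and resolve_principal are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. WSO2 signs with RS256; a real verifier would use the issuer's public key (assumption).
DEMO_KEY = b"constructed-demo-hmac-key"
GATEWAY_AUD = "http://org.wso2.apimgt/gateway"
ASSERTION_ALIAS = "https://172.28.1.101:9444/oauth2/token"   # token endpoint alias from the error above
APP_SCOPE = "am_application_scope"

# Claims copied from the two tokens on this page (constructed subset, signature claims aside).
PASSWORD_GRANT_CLAIMS = {
    "aud": GATEWAY_AUD, "sub": "api3dev#carbon.super", "scope": "default",
    "iss": "https://localhost:9443/oauth2/token", "consumerKey": "RsNaf9jk60DB3kWCovdfDftSZIoa",
    "exp": 1600502664, "iat": 1600499064,
}
CLIENT_CRED_CLAIMS = {
    "aud": GATEWAY_AUD, "sub": "api2dev#carbon.super", "scope": "am_application_scope default",
    "iss": "https://localhost:9443/oauth2/token", "consumerKey": "RsNaf9jk60DB3kWCovdfDftSZIoa",
    "exp": 1600502788, "iat": 1600499188,
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT (HS256, demo only) from a claims dict."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def aud_matches(aud, expected: str) -> bool:
    """RFC 7519 lets aud be a single string or an array of strings; accept either form."""
    if isinstance(aud, str):
        return aud == expected
    return isinstance(aud, list) and expected in aud


def verify_jwt(token: str, expected_aud: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Verify signature, expiry and audience; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; never let the token choose it
    want = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if not aud_matches(claims.get("aud"), expected_aud):
        # Same failure WSO2 reports when an assertion's aud lacks the token endpoint alias.
        raise ValueError(f"None of the audience values matched {expected_aud}")
    return claims


def resolve_principal(claims: dict) -> tuple:
    """Return (kind, id): the application for a client_credentials token, else the user named in sub."""
    if APP_SCOPE in claims.get("scope", "").split():
        return ("application", claims["consumerKey"])
    return ("user", claims["sub"])


if __name__ == "__main__":
    for claims in (PASSWORD_GRANT_CLAIMS, CLIENT_CRED_CLAIMS):
        token = sign_hs256(claims)
        print(resolve_principal(verify_jwt(token, GATEWAY_AUD, now=1600500000)))
```

Checking aud against a fixed expected value, as the audience-restriction answer configures on the WSO2 side, is what stops a token minted for one consumer (the gateway) from being replayed as an assertion at another (the token endpoint).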
I recently posted a problem I was having with authentication, but didn't receive any replies so I thought of another way to ask the question without being redundant.
What I'm seeing in the application's documentation are three ways to pass the access token to authenticate and receive the information I'm trying to get: HTTP Digest auth, HTTP Basic auth, and Bearer token auth. The distinctions between these are unclear to me, and my attempts at Bearer token auth (check out STEP 5) have not worked.
Can someone explain what these three are and hopefully point out what I'm doing wrong?
"HTTP Basic Auth" and "HTTP Digest" authenticate using a username and secret. HTTP Digest auth is more secure as it doesn't send the username and secret as plain text.
"HTTP Bearer Auth" authenticates using an access_token.
Your HTTP Bearer Auth code looks ok to me.
There is not much difference between HTTP Basic Authentication and HTTP Digest Authentication.
For Basic Auth, before the request to the OAuth system, the user name is appended with a colon and concatenated with the password. The result will then be encoded with the Base64 algorithm.
For example, say the username is demo and your access_token is 123; in this case the resulting string after concatenation will be 'demo:123', and once we apply Base64 encoding it will become ZGVtbzoxMjM=
Now this encoded string is transmitted in the HTTP header and decoded by the OAuth provider. Again, this is not a very strong encoding mechanism and can easily be decoded, as this auth system is not meant for very highly secure systems.
Again, Digest also uses the HTTP protocol to send and receive data, but it's much better than basic OAuth, which sends data in plaintext. Digest uses the MD5 cryptographic hashing type of algorithm to encrypt your password/access_token, and besides this it uses a nonce value to stop replay attacks.
Hope this will give you some idea about the way they work.
Update
I just saw the code at Gimme bar
GET /api/v0/tags HTTP/1.1
Host: gimmebar.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) AppleWebKit/533.6+ (KHTML, like Gecko) Version/4.0 Safari/528.16 Titanium/1.1.0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Authorization: Digest username="funkatron", realm="GimmeBarAPI", nonce="7a3ab1f9cde605f27797cd04c4d1fcf6", uri="/api/v0/tags", response="3654f9b1b2ba9489e1f01ae792852987", opaque="94619f8a70068b2591c2eed622525b0e", algorithm="MD5", cnonce="6897ccbff3b08776ab61e69a814c05b4", nc=00000001, qop="auth"
Connection: keep-alive
And if you look, while sending the request they are passing the hashing algorithm used along with the nonce and username. So they are creating all of them in their application and placing them in the header section. All you need to find is what header name we need to put.
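The answer above walks through what each scheme actually puts on the wire: Basic carries a reversible Base64 encoding of username:secret, Digest carries an MD5 response computed over the secret, both nonces and the request, and Bearer carries the token itself. The following is an added example written for this page (not Gimme Bar's code or the answerer's) that builds each header and, for Digest, shows the matching server-side check. The Basic example uses the demo/123 values from the answer; the realm, nonce and cnonce are taken from the Digest request quoted above, while the secret and the lookup_secret callback are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets


def basic_header(username: str, secret: str) -> str:
    """Basic: base64(username:secret). It is an encoding, not a hash, so TLS is doing all the protecting."""
    return "Basic " + base64.b64encode(f"{username}:{secret}".encode()).decode()


def decode_basic(header: str) -> tuple:
    """Anyone holding a Basic header recovers the secret with one decode."""
    user, _, secret = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return (user, secret)


def bearer_header(token: str) -> str:
    """Bearer: the token is the credential; whoever presents it is accepted."""
    return f"Bearer {token}"


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, secret, realm, method, uri, nonce, cnonce, nc="00000001", qop="auth"):
    """RFC 2617 qop=auth response: the secret itself never leaves the client."""
    ha1 = _md5(f"{username}:{realm}:{secret}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username, secret, realm, method, uri, nonce, cnonce=None):
    """Client side: assemble the Digest header in the layout seen in the Gimme Bar request."""
    cnonce = cnonce or secrets.token_hex(16)
    resp = digest_response(username, secret, realm, method, uri, nonce, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'response="{resp}", algorithm="MD5", cnonce="{cnonce}", nc=00000001, qop="auth"')


def parse_digest(header: str) -> dict:
    """Split the comma-separated key=value fields of a Digest header (quotes stripped)."""
    fields = {}
    for part in header[len("Digest "):].split(", "):
        key, _, value = part.partition("=")
        fields[key] = value.strip('"')
    return fields


def server_verify_digest(header: str, method: str, lookup_secret, issued_nonces: set) -> bool:
    """Server side: recompute the response from the stored secret and compare in constant time.
    A nonce the server never issued is rejected, which is what defeats straight replay."""
    f = parse_digest(header)
    if f.get("nonce") not in issued_nonces:
        return False
    expected = digest_response(f["username"], lookup_secret(f["username"]), f["realm"], method,
                               f["uri"], f["nonce"], f["cnonce"], f["nc"], f["qop"])
    return hmac.compare_digest(expected, f["response"])


if __name__ == "__main__":
    # Values from the page: demo/123 for Basic, realm and nonces from the quoted Digest request.
    print(basic_header("demo", "123"))
    nonce = "7a3ab1f9cde605f27797cd04c4d1fcf6"
    hdr = digest_header("demo", "123", "GimmeBarAPI", "GET", "/api/v0/tags", nonce,
                        cnonce="6897ccbff3b08776ab61e69a814c05b4")
    print(hdr)
    print(server_verify_digest(hdr, "GET", lambda user: "123", {nonce}))
```

The contrast the answer draws is visible in the functions: decode_basic gets the secret back from a Basic header with no key at all, whereas a captured Digest header only yields an MD5 response bound to a nonce the server will not accept twice. Neither scheme does anything for a Bearer token, which is why the only real protection for bearer_header is sending it over TLS and keeping the token short-lived.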
The bearer token is generated server side when you authenticate against the server. Then for any subsequent request you supply the generated bearer token in the request header.
From a security perspective these tokens get generated using a private key; only the server authenticating the user knows this key.
Look at JWT; they have really good documentation on this specific topic.
The gimmebar documentation is pretty clear on how to gain access
POST /api/v0/auth/reqtoken HTTP/1.1
Response Message
{"request_token":"390a9b193fc51be1a78d13bf69555212","expires":1309375411}